[Fwd: Re: [Bf-python] newbie]

[Willian Padovani Germano]

Hi, Jacek : )

> Is it possible to create virus in Povray language?
Well, what is a virus?  If you consider it generally as a recorded sequence
of actions (usually harmful) that is "played" once you execute it, commonly
able to replicate itself and "infect" other files, then yes, any language
with access to the file system can be used to write viruses.  Or, in the
case of scripts, used to hang the program (and maybe the system, in some
os's).

> If not, they I see no reason to care about security in Blender Python.
> Sure, you can delete all your ${HOME} with Python script, but it's your
> decision what script you are running, so only virus may be real problem.

It's one way to "deal" with the problem.  But consider what can be done in
Python, specially if the script is distributed "compiled".  You could bundle
a virus inside the script package and write it to the user's home dir (for
example a replacement for some shell command, which would harm users that
put "./" in their path.  You could read some private data and send it via
internet connection, etc, etc.

Leaving it all to the users to take care of themselves is not gentle enough
for something like Blender.  We really need to investigate a little more.
I'm not advocating complicate work-arounds, just that we understand better
what can happen.

That's why trusted repositories would be good, besides confort to find it
all in one place and no 404's.  Add to that a warn for users to be careful
with scripts they got somewhere else, specially compiled ones, and we
already have a basic protection scheme.

--
Willian, wgermano at ig.com.br